Fort Disco Evolves to Brute-Force Webmail

Research from Arbor ASERT from August described Fort Disco as a new PC botnet campaign designed to compromise targeted servers by trying to guess user credentials, primarily content management system (CMS) sites such as WordPress and Joomla. "To date," the researchers said, "over 6,000 Joomla, WordPress and Datalife Engine installations have been the victims of password guessing."

Now, according to the Swiss security blog Abuse.ch, the cast of the net has been widened.

In a forensic analysis, Abuse.ch found that the malware uses HTTP POST and HTTP GET to communicate with its command and control (C&C) infrastructure. When talking to the C&C server, the infected computer (bot) first registers itself by sending an HTTP POST; afterwards the bot is able to retrieve commands from the botnet herder. If the botnet C&C responds with five zeros (0 0 0 0 0), there is no task for the bot. Otherwise, the C&C server responds with a new task to execute, providing a link to a text file and a password.

The text file in the main variant of Fort Disco contains a huge list of exactly 5,000 websites that are running WordPress. These URLs point to the PHP login scripts that handle WordPress user authentication.

“It’s not hard to guess what is coming next: The bot will go through the whole list of WordPress websites it retrieved from the C&C server and will try to login to WordPress using the user name ‘Administrator’ and the password provided by the C&C server before”, Abuse.ch researchers explained.

But going down the rabbit-hole, as they put it, researchers found a Fort Disco sample that was brute-forcing POP3 webmail servers instead of WordPress credentials. In this case, the text file sent from the C&C appears to be a list of user names and domain names, followed by the responsible MX record that handles email for the particular domain name. The bot then goes on to try to brute-force POP3 credentials for these domain names, using the MX record and user name that it retrieved from the C&C server before.

Another group of researchers at Shadowserver told the researchers that they have seen this malware family brute-forcing FTP credentials using the same methodology.

Whether it’s CMS, webmail or FTP sites, the goal is to get in and take control. The benefit of the Fort Disco targets can be roughly characterized as “more bang for the buck”—all of these server-side hosts offer a much higher bandwidth allocation than a home computer. The botmaster can also gain control over multiple sites at once, making it a useful platform for sending out high-volume spam and carrying out DDoS attacks.

The good news? “These brute-force attempts against WordPress should be easy to detect. First of all, the bot sends a poor HTTP referer to wp-login.php,” said Abuse.ch researchers. “This bot will omit the protocol name [i.e., it deletes the http:// part of the string]. Second, the malware misses three HTTP headers which are usually being sent to the remote webserver with every HTTP request when using a standard web browser. These three header fields are Accept, Accept-Encoding, and Accept-Language.”
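The two traits Abuse.ch describes (a Referer with the scheme stripped, and no Accept, Accept-Encoding or Accept-Language headers) can be turned into a simple request filter. The following is an added example, not code from Abuse.ch or the article; the raw requests it checks are constructed, and it assumes requests are available in raw form (for example from a WAF audit log or a packet capture).

```python
"""Heuristic detection of the Fort Disco wp-login.php pattern (added example)."""
import re

ACCEPT_HEADERS = ("accept", "accept-encoding", "accept-language")
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def parse_request(raw):
    """Split a raw HTTP request into (method, path, {lower-cased name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def fort_disco_indicators(raw):
    """List the anomalies from the write-up found in a POST to wp-login.php.

    Returns [] for anything that is not a wp-login.php POST, or for a POST
    that carries a normal scheme-prefixed Referer and the Accept* headers."""
    method, path, headers = parse_request(raw)
    if method != "POST" or not path.split("?", 1)[0].endswith("/wp-login.php"):
        return []
    found = []
    referer = headers.get("referer")
    if referer is not None and not SCHEME_RE.match(referer):
        found.append("referer-without-scheme")   # e.g. "example.com/wp-login.php"
    found.extend("missing-" + h for h in ACCEPT_HEADERS if h not in headers)
    return found


def looks_like_fort_disco(raw):
    """True only when both described traits co-occur, to limit false positives."""
    found = fort_disco_indicators(raw)
    return "referer-without-scheme" in found and all(
        "missing-" + h in found for h in ACCEPT_HEADERS)


# Constructed sample requests (not captured bot traffic).
BOT_REQUEST = ("POST /wp-login.php HTTP/1.1\r\nHost: example.com\r\n"
               "Referer: example.com/wp-login.php\r\n"
               "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
               "log=Administrator&pwd=guess&wp-submit=Log+In")
BROWSER_REQUEST = ("POST /wp-login.php HTTP/1.1\r\nHost: example.com\r\n"
                   "Referer: https://example.com/wp-login.php\r\n"
                   "Accept: text/html\r\nAccept-Encoding: gzip\r\n"
                   "Accept-Language: en-US\r\n\r\nlog=alice&pwd=secret")
```

Requiring all four indicators together keeps the rule narrow; a real deployment would also rate-limit by source address, since a single failed login with odd headers is not by itself proof of a bot.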
